hcna-hntd v2.0 intermediate materials (march 17,2014)

7/21/2019 HCNA-HNTD V2.0 Intermediate Materials (March 17,2014)

http://slidepdf.com/reader/full/hcna-hntd-v20-intermediate-materials-march-172014 1/360

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 1

The privilege of HCNA/HCNP/HCIE:With any Huawei Career Certification, you have the privilege on http://learning.huawei.com/en to enjoy:

1

Comprehensive E-Learning Courses

Content：All Huawei Career Certification E-Learning courses

Methods to get the E-learning privil g : submit Huawei Account and email being used for Huawei Account

registration to [email protected] .

2

Training Material Download

Content: Huawei product training material and Huawei career certification training material

Method：Logon http://learning.huawei.com/en and enter HuaWei Training/Classroom Training ,then you can

download training material in the specific training introduction page.

3 Priority to participate in Huawei Online Open Class LVC)

Content：The Huawei career certification training covering all ICT technical domains like R&S, UC&C, Security,

Storage and so on, which are conducted by Huawei professional instructors

Method：The plan and participate method please refer to LVC Open Courses Schedule

4

Learning Tool: eNSP

eNSP (Enterprise Network Simulation Platform) is a graphical network simulation tool which is developed by

Huawei and free of charge. eNSP mainly simulates enterprise routers, switches as close to the real hardware as

it possible, which makes the lab practice available and easy without any real device.

In addition, Huawei has built up Huawei Technical Forum which allows candidates to discuss technical issues with

Huawei experts , share exam experiences with others or be acquainted with Huawei Products(

http://support.huawei.com/ecommunity/）

http://learning.huawei.com/en

mailto:[email protected]


http://support.huawei.com/ecommunity/

http://support.huawei.com/ecommunity/






Huawei Certification

HCNA – HNTD

INTERMEDIATE

Huawei Networking Technology and Device



Copyright © Huawei Technologies Co., Ltd. 2013. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any

means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co.,

Ltd. All other trademarks and trade names mentioned in this document are theproperty of their respective holders.

Notice

The information in this document is subject to change without notice. Every effort

has been made in the preparation of this document to ensure accuracy of the

contents, but all statements, information, and recommendations in this documentdo not constitute the warranty of any kind, express or implied.




Huawei Certification SystemRelying on its strong technical and professional training and certification system

and in accordance with customers of different ICT technology levels, Huawei

certification is committed to providing customers with authentic, professional

certification, and addresses the need for the development of quality engineers

that are capable of supporting enterprise networks in the face of an ever changing

ICT industry. The Huawei certification portfolio for routing and switching (R&S) is

comprised of three levels to support and validate the growth and value of

customer skills and knowledge in routing and switching technologies.

The Huawei Certified Network Associate (HCNA) certification validates the skills

and knowledge of IP network engineers to implement and support small to

medium-sized enterprise networks. The HCNA certification provides a rich

foundation of skills and knowledge for the establishment of such enterprise

networks, along with the capability to implement services and features within

existing enterprise networks, to effectively support true industry operations.

HCNA certification covers fundamental skills for TCP/IP, routing, switching and

related IP network technologies, together with Huawei data communications

products, and skills for versatile routing platform (VRP) operation andmanagement.



ForewordOutline

The HNTD guide contains content relating to the HCDA certification, for

development of engineers who wish to prepare for the HCNA-HNTD examination

or familiarize with TCP/IP technologies and protocols, as well as LAN, WAN

technologies and products, including VRP.

Content

This book contains a total of five modules, introducing technologies for enhancing

enterprise networks for business application, and introduces solutions for link

layer operations, WAN, IP security, network management, and IPv6 technologies

as well as guidelines for configuration and implementation using VRP.

Module 1 introduces link layer features and services, including link aggregation

solutions, VLAN and GVRP, for the enhancement of link layer efficiency within the

enterprise network.

Module 2 outlines the basic principles of technologies for Wide Area Networks

(WAN) including HDLC, PPP, Frame Relay, PPPoE and NAT, with VRPconfiguration for the implementation of effective WAN solutions.



Scope

The HNTD guide focuses on providing a naturally progressive path of learning

towards developing expertise in the implementation and maintenance of Huawei

enterprise networks. The step-by-step training establishes a firm foundational

knowledge of data communications, and establishment of fundamental

networking, with gradual implementation of switching, routing, WAN, security

technologies and services to establish industry relevant enterprise networks. The

modularity of the guide allows for selective reading to accommodate for eachstage of personal development.

Prerequisites

As an associate level course for Huawei certification, the reader is expected to

have a working knowledge of IT technologies, and competency in all topics

covered in HCNA-HNTD Entry.



Icons Used in This Book

Router Convergence switch Access switch Hub Access Point

Telephone Access server Host Terminal Portable computer IP telephone

RADIUS Server Mail Server Storage server App Server Firewall



Table of ContentsIntroduction- Advanced Enterprise Network Solutions ................................... Page 11

Advanced Enterprise Solutions Overview .................................................. Page 13

Module 1- Local Enterprise Network Features and Services .......................... Page 25

Link Aggregation ......................................................................................... Page 27

VLAN Principles .......................................................................................... Page 40

GARP & GVRP ........................................................................................... Page 69

VLAN Routing ............................................................................................. Page 86

Wireless LAN Overview ............................................................................ 0

Module 2-Connecting Beyond the Enterprise Network ................................. Page 111

Bridging Enterprise Networks with Serial WAN Technology .................... Page 113

Frame Relay Principles ............................................................................ Page 141

Establishing DSL Networks with PPPOE ................................................. Page 157

Network Address Translation ................................................................... Page 177

Establishing Enterprise Radio Access Network Solutions ........................ Page 197

Module 3-Securing the Enterprise Network .................................................... Page 211 Access Control Lists ................................................................................. Page 213




Introduction

Advanced Enterprise Network

Solutions



The establishment of local and internetwork connectivity through TCP/IP

protocols represents the foundation of the enterprise network, however does

not represent a complete solution to enabling an enterprise network to bebusiness ready. As an enterprise grows, so do the requirements for the

network on which it is supported. This includes the implementation of effective



Huawei enterprise networks must be capable of providing solutions for a

variety of scenarios, such as dense user access, mobile office, VoIP,

videoconference and video surveillance, access from outside the campus

network, and all-round network security.

Huawei enterprise solutions therefore must meet customer requirements on

network performance, scalability, reliability, security, and manageability, whilst

also simplifying network construction.



The enterprise network is required to be capable of establishing connectivity

via a multitude of telecom service provider networks, building on an ever

growing requirement for support of integrated and converged networks. Intaking advantage of the ubiquitous nature of IP, it is important that the

enterprise network be capable of supporting all services necessary in



Maintaining efficiency of operation in an enterprise network requires that traffic

flow is greatly optimized and redundancy is implemented to ensure that in the

case of any device or link failure, isolation of users and resources will notoccur. A two-node redundant design is implemented as part of enterprise

network design to enhance network reliability, however a balance is required



Network security plays an ever increasing role in the enterprise network. The

initial development of TCP/IP was never done so with the issue of security in

mind, and therefore security implementations have gradually been introducedto combat ever growing threats to IP networks. Security threats are capable of

originating both from inside and outside of the enterprise network and



The growth of intelligent network designs help to facilitate operations and

maintenance (O&M) for which Huawei network solutions provide means for

intelligent power consumption management, intelligent fast networkdeployment, and intelligent network maintenance.



As the industry continues to evolve, new next generation enterprise solutions

are introduced including the prominence of cloud technology providing cloud

service solutions to infrastructure, platforms, software etc, to meet the needs

of each customer. Along with this is the need for support of enterprise built

data centers and infrastructure designs allowing for constant expansion in



1. The DMZ represents a location that is part of the enterprise network,

however the DMZ exists within a location that allows the services to be

accessed from both an external location and internally, without allowingexternal users permission to access locations associated with internal

users. This provides a level of security that ensures data never flows




Module 1

Local Enterprise Network

Features and Services



Link aggregation refers to the implementation of a trunk link that acts as a

direct point-to-point link, between two devices such as peering routers,

switches, or a router and switch combination at each end of the link. The link

aggregation comprises of links that are considered members of an Ethernet

trunk, and build an association which allows the physical links to operate as a



Link aggregation is often applied in areas of the enterprise network where high

speed connectivity and the potential for congestion is likely to occur. This

generally equates to the core network where responsibility for high speed

switching resides, and where traffic from all parts of the enterprise network

generally congregates before being forwarded to destinations either in other



Link aggregation supports two modes of implementation, a manual load

balancing mode and static LACP mode. In load balancing mode, member

interfaces are manually added to a link aggregation group (LAG). All of the

interfaces configured with load balancing are set in a forwarding state. The

AR2200 can perform load balancing based on destination MAC addresses,



As a logical interface for binding multiple physical interfaces and relaying

upper-layer data, a trunk interface must ensure that all parameters of the

physical interfaces (member interfaces) on both ends of the trunk link be

consistent. This includes the number of physical interfaces, the transmission

rates and duplex modes of the physical interfaces, and the traffic-control



To prevent the disorder of frames, a frame forwarding mechanism is used to

ensure that frames in the same data flow reach the destination in the correct

sequence. This mechanism differentiates data flows based on their MAC

addresses or IP addresses. In this manner, frames belonging to the same dataflow are transmitted over the same physical link. After the frame forwarding

mechanism is used, frames are transmitted based on the following rules:

Frames with the same source MAC addresses are transmitted over the same

physical link.

Frames with the same destination MAC addresses are transmitted over the

same physical link.

Frames with the same source IP addresses are transmitted over the samephysical link.

Frames with the same destination IP addresses are transmitted over the same

physical link.

Frames with the same source and destination MAC addresses are transmitted

over the same physical link.

Frames with the same source and destination IP addresses are transmitted

over the same physical link.



Establishment of Link Aggregation is achieved using the interface Eth-trunk

<trunk-id> command. This command creates an Eth-Trunk interface and

allows for the Eth-Trunk interface view to be accessed. The trunk-id is a value

used to uniquely identify the Eth-trunk, and can be any integer value from 0

through to 63. If the specified Eth-Trunk already exists, it is possible to directly



In order to configure layer 3 Link Aggregation on an Ethernet trunk link, it is

necessary to transition the trunk from layer 2 to layer 3 using the undo

portswitch command under the Eth-trunk logical interface. Once the undo

portswitch command has been performed, an IP address can be assigned to

the logical interface and the physical member interfaces that are to be



Using the display interface eth-trunk <trunk-id> command it is possible to

confirm the successful implementation of Link Aggregation between the two

peering devices. The command can also be used to collect traffic statistics

and locate faults on the interface.

The current state of the Eth-trunk is set to UP signaling that the interface is



1. A Fast Ethernet interface and a Gigabit Ethernet interface cannot be

added to the same Eth-trunk interface, any attempt to establish member

links of different types will result in an error specifying that the trunk has

added a member of another port-type. It should be noted that the S5700

series switch supports Gigabit Ethernet interfaces only, however this



As local networks expand, traffic increases and broadcasts become more

common. There are no real boundaries within such an expanding network,

causing interrupts and growing traffic utilization to occur. Traditionally, the

alternative option was to implement a layer three device within the local

network to generate broadcast domains, however in doing so additional



The principle of VLAN technology was introduced that enabled traffic isolation

at the data link layer. VLAN technology has the added advantage of traffic

isolation without the limitation of physical boundaries. Users can be physically

dispersed but still be associated as part of a single broadcast domain, logically

isolating users from other user groups at the data link layer. Today VLAN



VLAN frames are identified using a tag header which is inserted into the

Ethernet frame as a means of distinguishing a frame associated with one

VLAN from frames of another. The VLAN tag format contains a Tag Protocol

Identifier (TPID) and associated Tag Control Information (TCI). The TPID is

used to identify the frame as a tagged frame, which currently only refers to the



VLAN links can be classified into two types, an access link type and a trunk

link type. The access link refers to the link between an end system and a

switch device participating in VLAN tagging, the link between host terminals

and switches are all access links. A trunk link refers to the link over which

VLAN tagged frames are likely to be carried. The links between switches are



Each interface of a device participating in VLAN tagging will be associated

with a VLAN. The default VLAN for the interface is recognized as the Port

VLAN ID (PVID). This value determines the behavior that is applied to any

frames being received or transmitted over the interface.



Access ports associate with access links, and frames that are received will be

assigned a VLAN tag that is equal to the Port VLAN ID (PVID) of the interface.

Frames being transmitted from an interface will typically remove the VLAN tag

before forwarding to an end system that is not VLAN aware. If the tag and thePVID vary however, the frame will not be forwarded and therefore discarded.



For trunk ports that are associated with trunk links, the Port VLAN ID (PVID)

will identify which VLAN frames are required to carry a VLAN tag before

forwarding, and which are not. The example demonstrates a trunk interface

assigned with a PVID of 10, for which it should be assumed that all VLANs are

permitted to traverse the trunk link. Only frames associated with VLAN 10 will



Hybrid represents the default port type for Huawei devices supporting VLAN

operation and provides a means of managing the tag switching process

associated for all interfaces. Each port can be considered as either a tagged

port or an untagged port. Ports which operate as access ports (untagged) andports which operate as trunk ports (tagged).



VLAN assignment can be implemented based on one of five different

methods, including Port based, MAC based, IP Subnet based, Protocol based

and Policy based implementations. The port based method represents the

default and most common method for VLAN assignment. Using this method,VLANs are classified based on the port numbers on a switching device. The



The implementation of VLANs begins with the creation of the VLAN on the

switch. The vlan<vlan-id> command is used to initially create the VLAN on the

switch which can be understood to exist once the user enters the VLAN view

for the given vlan as demonstrated in the configuration example. The VLAN IDranges from 1 to 4094 and where it is necessary to create multiple VLANs for



Once the VLANs have been created, the creation can be verified using the

display vlan command. The command allows information about all VLANs to

be specified, and if no parameter is specified, brief information about all

VLANs is displayed. Additional parameters include display vlan <vlan-id>verbose command, used to display detailed information about a specified



The configuration of the port link type is performed in the interface view for

each interface on a VLAN active switch. The default port link type on Huawei

switch devices is hybrid. The port link-type <type> command is used to

configure the port link type of the interface where the type can be set asaccess, trunk or hybrid. A fourth QinQ option exists but is considered outside



The association of a port with a created VLAN can be achieved using two

configuration methods, the first of those is to enter the VLAN view and

configure the interface to be associated with the VLAN using the port

<interface> command. The second means of assigning ports to VLANsinvolves accessing the interface view for the interface to be added to a VLAN



The display vlan command can be used to verify the changes made to the

configuration and confirm the association of port interfaces with the VLANs to

which the ports have been assigned. In the display example port interfaces

Gigabit Ethernet 0/0/5 and Gigabit Ethernet 0/0/7 can be identified as beingassociated with VLANs 2 and 3 respectively. The UT value identifies that the



The assigning of the port link type of trunk interfaces enables the trunk to

support the forwarding of VLAN frames for multiple VLANs between switches,

however in order for frames to be carried over the trunk interface, permissions

must be applied. The port trunk allow-pass vlan <vlan-id> command is used toset the permission for each VLAN, where vlan-id refers to the VLANs to be



The changes to the VLAN permissions can again be monitored through the

display vlan command, for which the application of VLANs over the trunk link

are reflected. The TG value identifies that VLANs have been associated with a

tagged interface either over a trunk or tagged hybrid port interface. In thedisplay example, VLANs 2 and 3 have been given permission to traverse the



Hybrid port configuration represents the default port type on switch port

interfaces and therefore the command port link-type hybrid is generally only

necessary when converting the port link type from an access or a trunk port

link type. Each port however may require to be associated with a default PortVLAN ID (PVID) over which frames are required to be either tagged or



For ports that are to operate as trunk ports, the port hybrid tagged vlan <vlan-

id> command is used. It should be clearly noted that the use of this command

multiple times under the same interface view shall result in the interface being

associated with all VLANs specified, with the associated VLAN frames beingtagged before forwarding. In the example the hybrid port interface Gigabit



Through the display vlan command, the results of the tagged and untagged

hybrid port configuration can be verified. Interface Gigabit Ethernet 0/0/7 has

been established as a VLAN 2 untagged interface, while interface Gigabit

Ethernet 0/0/5 has been established as an untagged interface associated withVLAN 3. In terms of both VLAN 2 and VLAN 3, frames associated with either



Switch port interfaces can use the port hybrid untagged vlan <vlan-id> [to

<vlan-id>] command to apply the untagged behavior on a port interface for

multiple VLANs in a single batch command. This behavior enables hybrid

interfaces to permit the untagged forwarding of traffic from multiple VLANs to agiven end system. All traffic forwarded from the end system is associated with



The command port hybrid untagged vlan 2 to 3 on interface Gigabit Ethernet

0/0/4 results in the interface applying untagged behavior to both VLAN 2 and

VLAN 3. This means that any traffic forwarded from a host associated with

either VLAN, to an end system associated with Gigabit Ethernet interface0/0/4, can be successfully received.



The growth of IP convergence has seen the integration of multiple

technologies that allows High Speed Internet (HSI) services, Voice over IP

(VoIP) services, and Internet Protocol Television (IPTV) services to be

transmitted over a common Ethernet & TCP/IP network. These technologiesoriginate from networks consisting of different forms of behavior. VoIP is



Configuration of the voice VLAN involves the configuring of a specified VLAN

using the voice-vlan <vlan-id> enable command. The voice VLAN can be

associated with any VLAN between 2 and 4094. The voice-vlan mode <mode>

command specifies the working mode, by which a port interface is added to avoice VLAN. This is set by default to occur automatically however can be also



The display voice-vlan status command allows voice VLAN information to be

viewed, including the status, security mode, aging time, and the interface on

which the voice VLAN function is enabled. The status determines whether

voice VLAN is currently enabled or disabled. The security-mode can exist inone of two modes, either normal or security. The normal mode allows the



1. The PVID on a trunk link defines only the tagging behavior that will be

applied at the trunk interface. If the port trunk allow-pass vlan 2 3

command is used, only frames associated with VLAN 2 and VLAN 3 will

be forwarded over the trunk link.



The Generic Attribute Registration Protocol (GARP) is the architecture on

which the registration, deregistration and propagation of attributes between

switches is enabled. GARP is not an entity in itself but instead is employed by

GARP applications such as GVRP to provide a shell on which the rules foroperation are supported. Interfaces that are associated with GARP



PDUs are sent from a GARP participant and use multicast MAC address 01-

80-C2-00-00-21 as the destination MAC address. When a device receives a

packet from a GARP participant, the device identifies the packet according to

the destination MAC address of the packet and sends the packet to thecorresponding GARP participant (such as GVRP). GARP uses messages



When a GARP participant expects other devices to register its attributes, it

sends Join messages to other devices. When a GARP participant receives a

Join message from another participant, or is statically configured with

attributes, it sends Join messages to other devices to allow the devices toregister the new attributes. Join messages are classified into JoinEmpty



Leave messages are used when a GARP participant expects other devices to

deregister its attributes, it sends Leave messages to other devices. When the

GARP participant receives a Leave message from another participant or some

of its attributes are statically deregistered, it also sends Leave messages toother devices. Leave messages are classified into LeaveEmpty messages and



Leave All messages are applied when a GARP participant when the

participant wishes to request other GARP participants deregister all the

attributes of the sender.

The Join, Leave, and Leave All messages are used to control registration and

deregistration of attributes Through GARP messages all attributes that need



GVRP is an application of GARP, and based on the working mechanism of

GARP, GVRP maintains dynamic VLAN registration information in a device

and propagates the registration information to other devices.

After GVRP is enabled on the switch, it can receive VLAN registration

information from other devices and dynamically update local VLAN



The registration can be achieved either statically or dynamically. A manually

configured VLAN is a static VLAN, and a VLAN created through GVRP is a

dynamic VLAN.



In the normal registration mode, the GVRP interface can dynamically register

and deregister VLANs, and transmit both dynamic VLAN registration

information and static VLAN registration information.



In the fixed mode, the GVRP interface is restricted from dynamically

registering and deregistering VLANs and can transmit only the static

registration information. If the registration mode of a trunk interface is set to

fixed, the interface allows only the manually configured VLANs to pass, even ifit is configured to allow all VLANs to pass.



In the forbidden mode, the GVRP interface is disabled from dynamically

registering and deregistering VLANs and can transmit only information about

VLAN 1. If the registration mode of a trunk interface is set to forbidden, the

interface allows only VLAN 1 to pass even if it is configured to allow all VLANsto pass.



The configuration of GVRP relies on the protocol attribute being firstly enabled

in the system-view before it can be applied at an interface-view. The

command gvrp is used to enable GVRP on the device. Once an interface has

been configured to operate as part of the VLAN, GVRP can be applied to theinterface using the gvrp command at the interface-view. The registration



Verifying the configuration for GVRP involves entering the display gvrp status

command. This will simply identify whether GVRP has been enabled on the

device. The display gvrp statistics command can provide a little more

information regarding the configuration for each interface (participant) that iscurrently active in GVRP. From the example, it is possible to identify the



1. The normal registration mode is used by default.

2. The ports for the links between each of the devices supporting GVRPmust be established as VLAN trunk ports in order to allow the VLAN

i f ti t b t d



The general principle of VLAN implementation is to isolate networks as a

means of minimizing the size of the existing broadcast domain, however in

doing so, many users are cut off from other users within other VLAN domains

and require that layer three (IP) communication be established in order forthose broadcast domains to re-establish communication through reachable



After VLANs are configured, the hosts in different VLANs are unable to directly

communicate with each other at Layer 2. It is therefore necessary to facilitate

the communication through the creation of routes between VLANs. There are

generally two main methods via which this is achieved, the first relies on theimplementation of a router connected to the layer 2 switch. VLAN



In order to allow communication over a single trunk interface, it is necessary to

logically segment the physical link using sub-interfaces. Each sub-interface

represents a logical link for the forwarding of VLAN traffic before being routed

by the router via other logical sub-interfaces to other VLAN destinations. Eachsub-interface must be assigned an IP address in the same network segment



The trunk link between the switch and the router must be established for

support of traffic for multiple VLANs, through the port link-type trunk or port

link-type hybrid command as well as the port trunk allow-pass vlan 2 3 or port

hybrid vlan 2 3 command respectively. Once the trunk is established, theVLAN sub-interfaces must be implemented to allow the logical forwarding of



The sub-interface on a router is defined in the interface view using the

interface <interface-type interface-number.sub-interface number> command

where the sub-interface number represents the logical interface channel within

the physical interface. The command dot1q termination vid <vlan-id> is usedto perform two specific functions. Where a port receives a VLAN packet, it will



Following the configuration of VLAN routing between VLAN 2 and VLAN 3, the

ping application can be used to verify reachability. The example demonstrates

how Host A (192.168.2.2) in VLAN 2 is capable of reaching Host B

(192.168.3.2) in VLAN 3. The TTL reflects that the packet has traversed therouter to reach the destination in VLAN 2.



VLAN routing when using a layer 3 switch relies on the implementation of

VLAN interfaces (VLANIF). If multiple users on a network belong to different

VLANs, each VLAN requires a VLANIF which must associate with an IP

address. If a large number of VLANs exist however this can tally up to a largenumber of IP addresses being required to support the VLANIF, as well as the



Configuration of VLAN routing on a switch operating at layer 3 requires that

the VLANs be initially created and the interfaces be assigned to those

respective VLANS. The configuration follows the principles for configuration of

VLANs covered as part of the VLAN principles. This involves defining the portlink-type for each port and the PVID that is associated with each port interface.



Configuration of VLAN routing is implemented by creating VLAN interfaces

that are to operate as gateway interfaces for each VLAN within the layer 3

switch. Entering the VLANIF view is achieved via the interface vlanif <vlan-id>

command, where the vlan-id refers to the associated VLAN. The IP addressfor the interface should be in the same network segment as the hosts. This IP



1. The dot1q termination vid <vlan-id> command is used to perform two

specific functions. Where a port receives a VLAN packet, it will initially

remove the VLAN tag from the frame and forward this packet via layer 3

routing. For packets being sent out, the port adds a tag to the packetbefore sending it out, in accordance with the respective VLAN and IP



The Wireless Local Area Network (WLAN) is seen as a rapidly developing

future network technology, to which many enterprise networks are gradually

transitioning towards, with the expectation that wired Ethernet networks used

today as the primary network infrastructure in nearly all enterprise businesseswill eventually be superseded by WLAN solutions, and provide reliable



The evolution of enterprise networks involving WLAN have undergone three

general phases since the 1980’s, from fixed office, to supporting early mobile

office solutions through the use of standalone access points (AP) that provided

only limited coverage and mobility for users, to a more centralized form ofWLAN involving management of multiple (thin) AP clients by a central



IEEE 802.11 represents the working group that supports the development of

all Wireless LAN standards, originating in 1997 with initial standards that

worked within a 2.4GHz range and relatively low frequency rates of up to

2Mbps. The evolution of standards saw the introduction of the 802.11a and802.11b standards which operated under the 5GHz and 2.4GHz signal bands



Wireless network deployment solutions over existing Ethernet networks

commonly apply a two-layer architecture that is capable of meeting customer

requirements, with minimal impact to the physical structure of the enterprise

campus.Access Controllers (AC) are deployed at the core layer of the network and



Each Access Point (AP) within a wireless local area network is designed to

provide a level of coverage that encompasses the surrounding area of the

established enterprise campus. A single AP is considered to have a finite

range that may vary depending on a number of factors and objects that arecapable of interfering with the general signal range, through imposing greater



Multiple security mechanisms have been devised for maintaining the overall

integrity of the wireless enterprise. The implementation of perimeter security

as a means of protecting 802.11 networks from threats such as

implementation of unauthorized APs and users, ad-hoc networks, and denialof service (DoS) attacks is an example of a typical wireless solution.



1. A growing majority of employees require mobility within an enterprise

network as part of daily work procedures, whether for meetings or

collaboration, which fixed line networks generally limit. Adoption of WLAN

allows for greater mobility and also flexibility in the number of usersconnecting to the enterprise network.




Module 2

Connecting Beyond the

Enterprise Network



Serial connections represent a form of legacy technology that has commonly

been used for the support of Wide Area Network (WAN) transmissions. The

transmission of data as electrical signals over a serial link again requires a

form of signaling to control the sending and receiving of frames as found withEthernet. Serial connections define two forms of signaling that may be used



The High-level Data Link Control (HDLC) is a bit-oriented data link protocol

that is capable of supporting both synchronous and asynchronous data

transmissions. A complete HDLC frame consists of the Flag fields that are

used to mark the start and end of a HDLC frame, often as 01111110, or01111111 when a frame is to be suddenly aborted and discarded. An address



Establishment of HDLC as the link layer protocol over serial connections

requires simply that the link protocol be assigned using the link-protocol hdlc

command under the interface view for the serial interface that is set to use the

protocol. The configuration of the link protocol must be performed on bothpeering interfaces that are connected to the point to point network before



When an interface has no IP address, it cannot generate routes or forward

packets. The IP address unnumbered mechanism allows an interface without

an IP address to borrow an IP address from another interface. The IP address

unnumbered mechanism effectively enables the conservation of IP addresses,and does not require that an interface occupy an exclusive IP address all of



Through the display ip interface brief command, a summary of the address

assignment is output. In the event of assigning an unnumbered address, the

address value will display as being present on multiple interfaces, showing

that the IP address has been successfully borrowed from the logical loopbackinterface for use on the physical serial interface.



The Point-to-Point Protocol (PPP) is a data link layer protocol that

encapsulates and transmits network layer packets over point-to-point (P2P)

links. PPP supports point-to-point data transmission over full-duplex

synchronous and asynchronous links.PPP is built upon the Serial Line Internet Protocol (SLIP) PPP supports both



PPP encapsulation provides for multiplexing of different network-layer

protocols simultaneously over the same link however in today’s networks, the

capability of PPP requires generally an IP only solution. The versatility of PPP

to accommodate a variety of environments is well supported through LinkControl Protocol (LCP). In order to establish communications over a point-to-



This initiation and termination of a PPP link begins and ends with the dead

phase. When two communicating devices detect that the physical link between

them is activated (for example, carrier signals are detected on the physical

link), PPP will transition from the Dead phase into the Establish phase. In theEstablish phase, the two devices perform an LCP negotiation to negotiate the



PPP generally adopts a HDLC like frame architecture for the transmission

over serial connections. Flag fields are adopted to denote the start and the

end of a PPP frame which is identifiable from the binary sequence 01111110

(0x7E). The address field, although present, is not applied to PPP as is thecase with HDLC and therefore must always contain a 11111111 (0xFF) value,



As part of the LCP negotiation, a number of message types are defined that

enable parameters to be agreed upon before a PPP data link is established. It

is necessary that the two communicating devices negotiate the link layer

attributes such as the MRU and authentication mode. In order to achieve this,various messages are communicated.



Some of the common configuration options that are negotiated and carried as

part of the LCP packet include the MRU, Authentication protocol supported by

the sending peer as well as the magic number.

The magic number provides a method to detect looped-back links and otheranomalies at the data link layer In the case where a Configure-Request is



The sequence of events leading to the establishment of PPP between two

peers is initiated by the sending of a Configure-Request message to the

peering device. Upon receiving this message, the receiver must assess the

configuration options to determine the message format to respond with. In theevent that all configuration options received are acceptable and recognized,



Following the initial transmission of the Configure-Request as part of PPP

negotiation, it is also possible that a Configure-Nak be returned, in particular

where all configuration options are recognized, but some values are not

accepted. On reception of the Configure-Nak message a new Configure-Request is generated and sent, however the configuration options may



For PPP LCP negotiation in which one or multiple configuration options

received in a Configure-Request are unrecognized or considered not

acceptable for negotiation, a Configure-Reject message is transmitted.

Reception of a valid Configure-Reject indicates that when a new Configure-

Request be sent, and any configuration options that are carried together with



Establishment of PPP requires that the link layer protocol on the serial

interface be specified. For ARG3 series of routers, PPP is enabled by default

on the serial interface. In the event where the interface is currently not

supporting PPP, the link-protocol ppp command is used to enable PPP at the

data link layer. Confirmation of the change of encapsulation protocol will be



The Password Authentication Protocol (PAP) is a two-way handshake

authentication protocol that transmits passwords in plain text. PAP

authentication is performed during initial link establishment. After the Link

Establishment phase is complete, the user name and password are repeatedly

sent by the peer to the authenticator until authentication is acknowledged or



The Challenge Handshake Authentication Protocol (CHAP), is used to

periodically verify the identity of the peer using a three-way handshake. This is

done upon initial link establishment, and can be repeated periodically. The

distinguishing principle of CHAP lies in the protection given through avoiding

transmission of any password over the link, instead relying on a challenge and



The IP Control Protocol (IPCP) is responsible for configuring, enabling, and

disabling the IP protocol modules on both ends of the point-to-point link. IPCP

uses the same packet exchange mechanism as the Link Control Protocol

(LCP). IPCP packets may not be exchanged until PPP has reached the

Network phase. IPCP packets received before this phase is reached are



A local device operating as a client and needing to be assigned an IP address

in the range of the remote device (server) must make a request for a valid

address by applying the ip address-ppp negotiate command on the physical

interface with which the client peers with the server. Through this method, a

client can retrieve a valid address. This is applicable in scenarios such a



PAP authentication can be implemented where PPP is the link layer protocol

and IP addressing enables network layer reachability between the peering

devices. The establishment of PAP authentication requires that one peer

operates as the authenticator in order to authenticate an authenticated peer.

The PPP PAP authenticator is expected to define the authentication mode, a



Through debugging commands which provide a real-time output of events in

relation to specific protocols, the authentication request process can be

viewed. As displayed in the example, a PAP authentication request is

performed to which authentication establishment is deemed successful.



In CHAP authentication, the authenticated device sends only the user name to

the authenticating device. CHAP is understood to feature higher security since

passwords are not transmitted over the link, instead relying on hashed values

to provide challenges to the authenticated device based on the configured

password value on both peering devices. In its most simplest form, CHAP may



Debugging of the CHAP authentication processes displays the stages involved

with CHAP authentication, originating from listening on the interface for any

challenges being received following the LCP negotiation. In the event that a

challenge is sent, the authenticated device must provide a response for which

a hash value is generated, involving the set authentication parameters on the



1. A Configure-Ack message is required in order to allow the link layer to be

successfully established when using PPP as the link layer encapsulation

mode.

2 Th I t t P t l C t l P t l (IPCP) i d t ti t th IP



Working at the data link layer of the Open System Interconnection (OSI)

model, Frame Relay (FR) is a technique that uses simple methods to transmit

and exchange data. A distinct feature of Frame Relay is that it simplifies

processes of error control, confirmation and re-transmission, traffic control,

and congestion prevention over its predecessor protocol X.25 on packet



Frame Relay is a packet switched network technology that emulates circuit

switched networks through the establishment of virtual circuits (VC) that are

used to establish a path between Frame Relay devices at each end of the

network. Every VC uses Data Link Connection Identifiers (DLCI) to define a

Frame Relay channel that is mapped across the Frame Relay network to an



Frame Relay is a statistical multiplexing protocol. It provides multiple VCs on a

single physical line. DLCI are applied to differentiate VCs. It is valid only on

the local interface and the directly connected peer interface but not valid

globally. On a Frame Relay network, the same DLCI on different physical

interfaces does not indicate the same VC.



In the PVC, both the network devices and user devices need maintain an

awareness of the current status of each PVC. The protocol that monitors the

PVC status is called the Local Management Interface (LMI) protocol. The LMI

protocol maintains the link and PVC status of the Frame Relay through status

enquiry packets and status packets. The LMI module is used to manage the



The main function of Inverse ARP is to resolve the IP address of the remote

device that is connected to every VC. If the protocol address of the remote

device that is connected to a VC is known, the mapping between the remote

protocol address and DLCI can be created on the local end, which can avoid

configuring the address mapping manually.



Routing protocols such as RIP and OSPF are used to provide the means for

routing traffic at the network layer between the source and the destination,

while frame relay provides the underlying technology to facilitate the data link

communication. Frame relay interfaces naturally may involve multiple virtual

circuits over a single physical interface. The network layer protocols however



A more effective means to resolve issues arising from the implementation of

split horizon over frame relay networks, is to apply logical sub-interfaces to a

single physical interface. Frame Relay sub-interfaces can be classified into

two types.

Point-to-point sub-interfaces are used to connect a single remote device Each



The configuration of dynamic address mapping for frame relay PVC requires

that the Inverse Address Resolution Protocol (InARP) be used.

Implementation of dynamic mapping requires that the link layer protocol type

be set as frame relay using the link-protocol fr command. Once the interface

link layer protocol has been changed, the interface on the customer edge



Using the display fr pvc-info command, it is possible to discover all permanent

virtual circuits (PVC) associated with the local interface. In this instance a

single PVC exists and the circuit is established with the support of the inverse

ARP protocol. The presence of inbound and outbound packets informs that the

frame relay mapping has been successful through Inverse ARP, and that



The fr map ip [destination-address [ mask ] dlci-number ] command configures

a static mapping by associating the protocol address of a peer device with the

frame relay address (DLCI value) of the local device. This configuration helps

upper-layer protocols locate a peer device based on the protocol address of

the peer device. If the DCE is configured with static address mapping and the



The state of the PVC can be determined through the display fr pvc-info

command. Each PVC that has been created is defined along with the interface

for which the PVC is associated, the local DLCI number and also the current

status of the DLCI. A fully operational PVC can be determined by an active

status, whereas a non operational PVC is given an inactive status. The usage



1. The frame Relay PVC status will display as INACTIVE in the event that

LMI negotiation messages have not been successfully exchanged. This

may be caused when the interface with the PVC is inadvertently shut

down, or the interface configured with the PVC failed to negotiate with the

peer. An administrator would be required to therefore check the LMI



DSL represents a form of broadband technology that utilizes existing

telephony networks to allow for data communications. Communication is

facilitated through a remote transceiver unit, or modem at the customer

premises, which communicates over the existing telephone lines to a central

office transceiver unit that takes the form of the Digital Subscriber Line Access



PPPoE refers to the encapsulation of PPP within Ethernet frames to support a

connection over broadband technologies to a PPPoE broadband remote

access server (BRAS), located within the service provider network. This is

used to support the authentication and accounting process before access to

the remote network such as the Internet is provided. The router RTA operates



PPPoE has two distinct stages, initially there is a Discovery stage followed by

a PPP Session stage. When a client wishes to initiate a PPPoE session, it

must first perform Discovery for which four stages are involved and rely on

four individual packet types for the discovery process. These include the

PPPoE Active Discovery Initiation (PADI), PPPoE Active Discovery Offer



In the Discovery stage, when a client (RTA) accesses a server using PPPoE,

the client is required to identify the Ethernet MAC address of the server and

establish a PPPoE session ID. When the Discovery stage is complete, both

peers know the PPPoE Session_ID and the peer Ethernet address. The

PPPoE Session ID and peer Ethernet address define the unique PPPoE



The servers that can provide the requested services send back PPPoE Active

Discovery Offer (PADO) packets. The client (RTA) can receive more than one

PADO packet from servers. The destination address is the unicast address of

the client that sent the PADI packet. The Code field is set to 0x07 and the

Session ID field must be set to 0x0000.



Since the PADI packet is broadcast, the client can receive more than one

PADO packet. It looks through all the received PADO packets and chooses

one based on the AC-Name or the services offered by the PADO packet. The

client looks through the PADO packets to choose a server, and sends a

PPPoE Active Discovery Request (PADR) packet to the chosen server. The



When receiving a PADR packet, the access server prepares to begin a

PPPoE session. It generates a unique session ID for the PPPoE session and

replies to the client with a PPPoE Active Discovery Session-confirmation

(PADS) packet. The destination address field is the unicast Ethernet address

of the client that sends the PADR packet. The code field is set to 0x65 and the



In the PPPoE session establishment process, PPP LCP negotiation is

performed, at which point the maximum receive unit (MRU) is negotiated.

Ethernet typically has a maximum payload size of 1500 bytes, where the

PPPoE header is 6 bytes, and the PPP Protocol ID is 2 bytes, the PPP

maximum receive unit (MRU) cannot be greater than 1492 bytes since this will



The PPPoE Active Discovery Terminate (PADT) packet can be sent anytime

after a session is set up to indicate that a PPPoE session is terminated. It can

be sent by the client or access server. The destination address field is a

unicast Ethernet address. The Code field is set to 0xA7 and the session ID

must be set to indicate the session to be terminated. No tag is required in the



Three individual steps are required in the configuration of a PPPoE client,

beginning with the configuration of a dialer interface. This enables the

connection to be established on demand and a session connection to be

disconnected after remaining idle for a period of time. The dialer-rule

command enables the dialer-rule view to be accessed from which the dialer-



The second step involves the establishment of the PPPoE session binding of

the dialer bundle to the interface over which negotiation is to take place for the

configured dialer parameters. The pppoe-client dial-bundle-number <number>

command is used to achieve this where the number refers to the bundle

number configured as part of the dialer parameters



The display interface dialer command is used to verify the current status of the

dialer configuration and allows for the locating of faults on a dialer interface.

The dialer current state of UP identifies that the physical status of the interface

is active, while a DOWN state would confirm that a fault currently exists. The

line protocol state refers to the link layer protocol status for which an UP status



The display pppoe-client session summary command provides information

regarding the PPPoE sessions on the Point-to-Point Protocol over Ethernet

(PPPoE) client, including the session status and statistics. Two examples are

given to highlight the difference between the PPPoE session states. The ID

represents the PPPoE ID while the bundle ID and Dialer ID are related to the



Much of the implementation of PPPoE has focused on a general point-to-point

connection reflective of a typical lab environment however in real world

applications the PPPoE client often represents the gateway between an

enterprise network and the Wide Area Network (WAN), to which external

destinations and resources are accessed



1. Ethernet has a maximum payload size of 1500 bytes, however when used

together with PPPoE requires an additional 6 bytes as well as another 2

bytes for the PPP protocol ID, that causes the size of the frame to exceed

the maximum supported payload size. As such the LCP negotiated MRU

of a PPPoE frame must be no larger than 1492 bytes



One of the main issues that has faced the expanding network has been the

progressive depletion of IP addresses as a result of growing demand. The

existing IPv4 addressing scheme has struggled to keep up with the constant

growth in the number of devices that continue to make up the public IP

network which is commonly recognized as the Internet IPv4 addressing has



Network Address Translation (NAT) uses the generally established boundary

of the gateway router to identify network domains for translation. Domains are

considered to be either internal private networks or external public networks

between which NAT is performed. The main principle lies in the reception of

traffic with a source address that is in the private network and a destination



A number of implementations of NAT are possible and are capable of being

applied to a variety of different situations. Static NAT represents a direct one-

to-one mapping that allows the IP address of a specific end system to be

translated to a specific public address. On a large scale the one-to-one

mapping of static NAT does not do anything to alleviate the address shortage



Dynamic NAT works on the principle of address pools by which internal end

systems wishing to forward traffic across the public network are capable of

associating with a public address from an address pool. End systems requiring

to communicate with destinations in the public network domain must associate

with a unique public address that is attainable from the public address range



In addition to the many-to-many address translation found within Dynamic

NAT, Network Address Port Translation (NAPT) can be used to implement

concurrent address translation. NAPT allows multiple internal addresses to be

mapped to the same public address. It is also called many-to-one address

translation or address multiplexing NAPT maps IP addresses and interfaces



Easy IP is applied where hosts on small-scale local area networks require

access to the public network or Internet. Small-scale LANs are usually

deployed where only a few internal hosts are used and the outbound interface

obtains a temporary public IP address through dial-up. The temporary public

IP address is used by the internal hosts to access the Internet Easy IP allows



NAT can shield hosts on private networks from public network users. When aprivate network needs to provide services such as web and FTP services forpublic network users, servers on the private network must be accessible topublic network users at any time.

The NAT server can address the preceding problem by translating the publicIP dd d t b t th i t IP dd d t b b d



Static NAT indicates that a private address is statically bound to a public

address when NAT is performed. The public IP address in static NAT is only

used for translation of the unique and fixed private IP address of a host. The

nat static [protocol {<tcp>|<udp>}global { <global-address >| current-interface

<global-port>} inside {<host-address> <host-port >} vpn-instance <vpn-



The configuration of static NAT can be viewed through the display nat static

command. The command displays the network address translation information

with regards to the interface through which the address translation is

performed, the global and inside addresses which are translated along with

the used ports Where the ports are not defined a null result will be displayed



The configuration of dynamic network address translations involves

implementation of the nat outbound command. It relies on the prior

configuration of a network access control list that is used to specify a rule to

identify specific traffic to which an event or operation will be applied. The

details regarding access control lists are covered in a later unit An association



Two specific display commands will enable the detailed information regarding

the dynamic address translation to be verified. The display nat address-

group<group-index> command allows the general network address translation

pool range to be determined. In addition the display nat outbound command

will provide specific details for any dynamic network address translation



The Easy IP configuration is very similar in configuration to that of dynamic

network address translation, relying on the creation of an access control list

rule for defining the address range to which translation is to be performed and

application of the nat outbound command. The main difference is in the

absence of the address group command since no address pool is used in the



The same display nat outbound command can be used to observe the results

of the nat outbound configuration and verify its correct implementation. The

interface and access control list (ACL) binding can be determined as well as

the interface (in this case) for the outbound translation. The type listing of

easyip makes it clearly understood when Easy IP has been successfully



Where it is necessary to provide internal access to external users such as in

the case of a public server which is part of an internal network, the NAT server

configuration can be performed to enable traffic destined for an external

destination address and port number to be translated to an internal destination

address and port number



The display nat server command details the configuration results to verify the

correct implementation of the NAT server. The interface defines the point at

which the translation will occur. The global and inside IP addresses and

associated port numbers can be verified. In this case the global address of

202 10 10 1 with a port number of 80 (www) will be translated to an inside



1. The NAT internal server configuration will allow a unique public address to

be associated with a private network server destination, allowing inbound

traffic flow from the external network after translation. Internal users are

able to reach the server location based on the private address of the

server



Wireless Wide Area Networks (WWAN) have become a central part of theworlds communications infrastructure, allowing for the evolution of the mobilenetwork for which various call and data services are becoming increasinglyprominent in everyday life. The WWAN is comprised of a multitude oftechnologies and standards that allow for near ubiquitous voice and data

communication globally Communication is commonly achieved through a



The evolved support of packet switching in mobile networks has provided a

new avenue for communications with remote workers that may often be

stationed beyond the range of an existing enterprise network and any WLAN

solutions that may be implemented. One of the major concerns has often been

with regards to the speed and services that are capable of being supported by



Enterprise networks are able to utilize the packet switched capabilities of the

3G network as a method of redundancy through which network failover can be

supported in the event that the main service becomes unavailable. One of the

limitations that exists with Wireless WAN solutions is the associated costs that

limit the use as an “always on” solution however where business continuity is



Support for WWAN solutions on the AR2200 series router is achieved through

the implementation of supported hardware including the 3G-HSPA+7 interface

card that allows interfacing with 2G and 3G networks. The 3G-HSPA+7

interface card provides two 3G antenna interfaces to transmit and receive 3G

service data One interface is the primary interface and the other is the



A 3G cellular interface is a physical interface supporting 3G technology. It

provides users with an enterprise-level wireless WAN solution. After

configuring 3G cellular interfaces, voice, video, and data services can be

transmitted over the 3G network, providing a variety of WAN access methods

for enterprises



The dial control centre (DCC) is implemented in order to allow the link to

activate the cellular connection. The dialer-rule command initiates the dialer-

rule view where the rules are defined to enable IPv4 traffic to be carried over

the interface with which the dialer group is associated. The dialer-rule

<number> command refers to the dialer access group number Under the



NAT is required to allow packets generated with a source address in the

private address range of internal users to be translated to the public address

of the cellular interface. As only one cellular interface address exists, Easy IP

is implemented to allow the range of internal users to make full use of a single

interface address thro gh port address translation



Following the successful configuration of the parameters for establishing the

3G network through the circular DCC and PPP negotiation, an IP address will

be assigned to the cellular interface. The results of the established connection

can be verified through the display interface cellular command where the state

f th i t f d th ti t d dd b d t i d If IP



The display nat outbound command can again be used to validate the

configuration of Easy IP in relation to the establishment of the cellular backup

link. The output verifies that the cellular interface is implementing Easy IP for

address translation, as well as providing verification of the external WAN link

dd t hi h i t l ( i t t k) dd b i t l t d



1. In the event that the primary route fails, a default static route will provide

an alternative route via the cellular interface that will initiate the cellular

connection. The dial control center will support the initiation of the

connection that is negotiated over PPP.



Module 3

Securing the Enterprise Network



An Access Control List (ACL) is a mechanism that implements access control

for a system resource by listing the entities based on specific parameters that

are permitted to access the resource, as well as the mode of access that is

granted. In general, an ACL can be understood as a means for filtering, and

b li d t t l th fl f t ffi ll id tif t ffi t hi h



Where filtering is performed based on interesting traffic, there is no general

restriction made but instead additional operations are likely to be performed

which affects the current data. The example demonstrates a scenario where

inbound data is filtered based on certain criteria such as in this case, the

IP dd d h t l li t i f d t l t d t



There are three general ACL types that are defined as part of the ARG3

series, including basic, advanced and layer2 access control list types. A basic

ACL matches packets based on information such as source IP addresses,

fragment flags, and time ranges, and is defined by a value in the range of

2000 2999 A d d ACL id t f i



Access Control Lists work on the principle of ordered rules. Each rule contains

a permit or deny clause. These rules may overlap or conflict. One rule can

contain another rule, but the two rules must be different. The AR2200 supports

two types of matching order: configuration order and automatic order. The

t hi d d t i th i iti f th l i ACL R l i iti



The creation of a basic access control list requires that the administrator first

identify the traffic source to which the ACL is to apply. In the example given,

this refers to the source locations containing an IP address in the

192.168.1.0/24 range for which all packets containing a source IP address in

thi ill b di d d b th t I th f h t th t k



The validation of the configured basic ACL can be achieved through the

display acl <acl-number> where the acl-number refers to the basic ACL

number that has been assigned to the configured ACL. The resulting output

confirms the rules that have been created to deny (drop) any IP packets with

th IP dd i th 192 168 1 0/24 d it dd i i



Advanced access control lists enable filtering based on multiple parameters to

support a greater detailed route selection process. While a basic ACL provides

filtering based on the source IP address, Advanced ACL are capable of

filtering based on the source and destination IP, source and destination port

numbers, protocols of both the network and transport layer and parameters



The validation of the configured advanced ACL can be achieved through the

display acl <acl-number> where the acl-number refers to the advanced ACL

number that has been assigned to the configured ACL. The resulting output

confirms that three rules have been created to deny any TCP packets with the

/ f f



ACL can also be applied to the Network Address Translation (NAT) operation

to allow filtering of hosts based on IP addresses to determine which internal

networks are translated via which specific external address pools should

multiple pools exist. This may occur where an enterprise network is a

customer to connections from multiple service providers for which various



1. Advanced ACL are capable of filtering based on the source and

destination IP, source and destination port numbers, protocols of both the

network and transport layer and parameters found within each layer such

as IP traffic classifiers and TCP flag values (SYN|ACK|FIN etc).



Authentication, Authorization, and Accounting (AAA) is a technology that is

used to check whether a user can access a network, authorizes a user to

access and use specific services, and records the network resources used by

a user. Users can only use one or two security services provided by AAA. For

example, if a company wants to authenticate employees that access certain



AAA supports three authentication modes. Non-authentication completely

trusts users and does not check their validity. This is seldom used for obvious

security reasons. Local authentication configures user information, including

the user name, password, and attributes of local users, on a Network Access

Server (NAS). Local authentication has advantages such as fast processing



The AAA Authorization function is used to determine the permission for users

to gain access to specific networks or devices, as such AAA supports various

authorization modes. In non-authorization mode users are not authorized.

Local authorization however authorizes users according to the related

attributes of the local user accounts configured on the NAS. Alternatively,



The accounting process can be used to monitor the activity and usage of

authorized users who have gained access to network resources. AAA

accounting supports two specific accounting modes. Non-accounting can be

used, and provides free services for users without any record of users, or

activity logs.



The device uses domains to manage users. Authentication, authorization, and

accounting schemes can be applied to a domain so that the device can

authenticate, authorize, or charge users in the domain using the schemes.

Each user of the device belongs to a domain. The domain to which a user

belongs is determined by the character string suffixed to the domain name



The AR2200 router can be used as a Network Access Server (NAS) in orderto implement authentication and authorization schemes. The exampledemonstrates the typical process that is necessary in order to successfullyimplement local AAA. Users for authentication must be created using thelocal-user <user-name> password [cipher \simple]<password> privilege level



The configuration of the local AAA domain and schemes for both

authentication and authorization can be verified through the display domain or

display domain name <domain-name> commands. Using the display domain

command provides brief information regarding all domains that have been

created, including the domain name and a domain index that is used to



1. The AR2200 series router supports both authentication and authorizations

schemes, the accounting scheme requires the support of a HWTACACS

or RADIUS server.



Internet Protocol security (IPsec) is a protocol suite defined by the InternetEngineering Task Force (IETF) for securing Internet Protocol (IP)communication by authenticating and/or encrypting each IP packet of acommunication session. Two communicating parties can encrypt data and/orauthenticate the data originating at the IP layer to ensure data confidentiality,



IPsec uses two protocols to provide traffic security, Authentication Header

(AH) and Encapsulating Security Payload (ESP). The IP Authentication

Header (AH) provides connectionless integrity, data origin authentication, and

an optional anti-replay service. The Encapsulating Security Payload (ESP)

protocol may provide confidentiality (encryption), and limited traffic flow

AH supports an MD5 algorithm that takes as input, a message of arbitrary

length and produces as output a 128-bit "fingerprint" or "message digest" of

that input, while the SHA-1 produces a 160-bit message digest output. SHA-2

represents a next generation of authentication algorithms to extend security to

authentication following discovery of certain weaknesses within SHA-1.

Th t SHA 2 i t ffi i ll d fi d b t i ll d t f t th



The term SHA-2 is not officially defined but is usually used to refer to thecollection of the algorithms SHA-224, SHA-256, SHA-384, and SHA-512. The

AR2200 however provides support only to SHA-256, SHA-384 and SHA-512,

where the value represents the bit digest length.



A Security Association (SA) denotes a form of connection that is established in

a single direction through which security services relevant to the traffic are

defined. Security services are attributed to an SA in the form of either AH, or

ESP, but not both. If both AH and ESP based protection is applied to a traffic

stream, then two (or more) SAs are created to attribute protection to the traffic



A transport mode SA is a security association between two hosts. In IPv4, a

transport mode security protocol header appears immediately after the IP

header, any options, and before any higher layer protocols (e.g., TCP or

UDP). In transport mode the protocols provide protection primarily for upper

layer protocols. An AH or ESP header is inserted between the IP header and



In the IPsec context, using ESP in tunnel mode, especially at a security

gateway, can provide some level of traffic flow confidentiality. The outer IP

header source address and destination address identify the endpoints of the

tunnel. The inner IP header source and destination addresses identify the

original sender and recipient of the datagram, (from the perspective of this



The implementation of an IPsec Virtual Private Network (VPN) requires that

network layer reachability between the initiator and the recipient is verified to

ensure non-IPsec communication is possible before building any IPsec VPN.

Not all traffic is required to be subjected to rules of integrity or confidentiality,

and therefore traffic filtering needs to be applied to the data flow to identify the

An IPsec policy defines the security protocol, authentication algorithm,

encryption algorithm, and encapsulation mode for data flows by referencing an

IPsec proposal. The name and sequence number uniquely identify an IPsec

policy. IPsec policies are classified into IPsec policies used for manually

establishing SAs, and IPsec policies used for establishing SAs through IKE

negotiation



negotiation.To configure an IPsec policy used for manually establishing SAs, set

parameters such as the key and SPI. If the tunnel mode is configured, the IP

addresses for two endpoints of a security tunnel also must be set. When

configuring an IPsec policy used for establishing SAs through IKE negotiation,

parameters such as the key and SPI do not need to be set as they are

generated through IKE negotiation automatically. IPsec policies of the same

name but different sequence numbers comprise an IPsec policy group.

In an IPsec policy group, an IPsec policy with a smaller sequence number has

a higher priority. After an IPsec policy group is applied to an interface, all

IPsec policies in the group are applied to the interface. This enables different

SAs to be used for different data flows.



Communication at the network layer represents the initial prerequisite of any

IPsec VPN connection establishment. This is supported in this example

through the creation of a static route pointing to the next hop address of RTB.

It is necessary to implement static routes in both direction to ensure

bidirectional communication between networks. An advanced ACL is created



Verification of the parameters for the IPsec proposal can be achieved through

the display ipsec proposal [name <proposal-name>] command. As a result it is

possible to view select proposal or all proposals that have been created. The

name defines the name given to the IPsec proposal created, while the

encapsulation mode lists the current mode that is being used for this given



The policy-name and seq-number parameters identify an IPsec policy.

Multiple IPsec policies with the same IPsec policy name constitute an IPsec

policy group. An IPsec policy group contains a maximum of 16 IPsec policies,

and an IPsec policy with the smallest sequence number has the highest

priority. After an IPsec policy group is applied to an interface, all IPsec policies



Following the creation of a policy and the binding of the proposal and ACL to

the policy, the policy itself can be applied to the physical interface upon which

traffic will be subjected to IPsec processing. In the example given an IPsec

tunnel is to be established between interface Gigabit Ethernet 0/0/1 of RTA

and Gigabit Ethernet 0/0/1 of RTB. Under the interface view, the ipsec policy



Using the display ipsec policy [brief | name policy-name [ seq-number ] ]

command, a specific IPsec policy or all IPsec policies can be viewed. The

parameters of the IPsec policy displayed include the policy name and the

sequence number of the policy, typically used to distinguish the priority of

policies in a group where a lower sequence number represents a higher



Specific parameter settings are also defined within the display ipsec policy

command for SA in both the inbound and outbound directions. The SPI

references the SA in each direction which can be used as part of the

troubleshooting process to ensure that the SPI on the outbound local interface

matches to that set for the inbound remote interface on the peer interface (that



1. A security association can be understood as a unidirectional connection or

management construct that defines the services that will be used in order

to negotiate the connection’s establishment. The connection relies on

matching SA in both directions in order to successfully establish secure

bidirectional communication.



Cost effective solutions for private internetwork communication have utilized

technologies such as IPsec to enable shared public networks to act as a

medium for bridging the gap between remote offices. This solution provides

secure transmission to IP packet payloads but does not enable routing

protocols such as RIP and OSPF to be carried between the two tunnel



GRE can be applied within an autonomous system to overcome certain

limitations found in IGP protocols. RIP routes offer for example a hop limit of

15 hops beyond which all routes are subjected to the count to infinity rule. The

application of GRE in such environments will allow for a tunnel to be created

over which routing updates can be carried, allowing the scale of such distance



One of the major limitations of GRE is in its lack of ability to secure packets as

they are carried across a public network. The traffic carried within a GRE

tunnel is not subjected to encryption since such features are not supported by

GRE. As a result IPsec solutions are employed together with GRE to enable

GRE tunnels to be established within IPsec tunnels to extend features



After receiving a packet from the interface that is connected to the private

network, the packet is delivered to the private network protocol module for

processing. The private network protocol module checks the destination

address field in the private network packet header, searches the outgoing

interface in the routing table or forwarding table of the private network, and

The egress interface delivers the packet to the GRE module for processing.

The GRE module removes the IP header and the GRE header, and learns

from the Protocol Type field in the GRE header that the passenger protocol is

the protocol run on the private network, the GRE module then delivers the

packet to this protocol. The protocol itself handles the packet as with any

ordinary packet.



y p



Key authentication indicates the authentication on a tunnel interface. This

security mechanism can prevent the tunnel interface from incorrectly

identifying and receiving the packets from other devices. If the K bit in the

GRE header is set to 1, the Key field is inserted into the GRE header. Both the

receiver and the sender perform the key authentication on the tunnel.



The keepalive detection function is used to detect whether the tunnel link is in

the keepalive state at any time, that is, whether the peer of the tunnel is

reachable. If the peer is not reachable, the tunnel is disconnected to prevent

black holes occuring. After the Keepalive function is enabled, the local end of

the GRE tunnel periodically sends a keepalive detection packet to the peer. If



The running status and routing information for the GRE tunnel interface can be

observed following the creation of the tunnel interface. An active tunnel

interface can be confirmed when the tunnel’s current state and link layer (line)

protocol state are both showing as UP. Any adjustment to the existing MTU

can be identified to ensure that additional overhead is not created as a result



The reachability of networks over the GRE tunnel can be determined based on

the IP routing table that is viewed using the display ip routing table command.

In this case it is possible to identify the internal source network address of a

local network, and its ability to reach the destination network address of a

remote network over a GRE based tunnel interface. The destination address



The keepalive function can enabled on the GRE tunnel interface by specifying

the keepalive [period <period> [retry-times <retry-times> ] ] command, where

the period determines the number of seconds taken before each keepalive is

sent, this by default is set to a period of 5 seconds. The number of times for

which a keepalive will be sent is defined using the retry-times <retry-times>



The display interface tunnel command can again be applied to assess whether

the tunnel is still active following a loss of communication between the GRE

tunnel endpoints. In the example it is found that the link layer status of the

GRE tunnel has transitioned to a down state denoting that a failure in

communication has occurred. The keepalive function is currently enabled and



1. GRE provides a means for establishing dynamic routing between remote

networks that commonly belong to a single administrative domain such as

in the case of branch offices. IPsec VPN is generally used to provide a

site-to-site private tunnel over which routing dynamic information may

wish to be transmitted, however IPsec VPN tunnels will not support the



Module 4

Enterprise Network Management

Solutions



The Simple Network Management Protocol (SNMP) is a network management

protocol widely used in the TCP/IP network. SNMP is a method of managing

network elements using a network console workstation which runs network

management software.

SNMP may be used to achieve a number of communicative operations The



Network elements such as hosts, gateways, terminal servers etc, contain two

important components that support the network management functions

requested by the network management stations. The management agent

resides on the network element in order to retrieve (get) or alter (set)

variables.



A Management Information Base (MIB) specifies the variables maintained by

network elements. These variables are the information that can be queried

and set by the management process. A MIB presents a data structure,

collecting all possible managed objects over the network. The SNMP MIB

adopts a tree structure similar to that found in a Domain Name System (DNS).



SNMP defines five types of Protocol Data Units (PDUs), namely, SNMP

packets, to be exchanged between the management process and the agent

process. The get-request operation indicates that the management process

reads one or more parameter values from the MIB of the agent process. The

get-next-request indicates that the management process reads the next



SNMPv1 is the original application protocol by which the variables of an

agent's MIB may be inspected or altered. The evolution of SNMP involved not

only changes to the protocol but also the MIB that was used. New objects

were defined in the MIB resulting in MIB-II (or MIB-2) being defined, including

for example sysContact. sysName, sysLocation, sysServices to provide

To resolve this, new counters were defined in SNMP version 2c in the form of

64 bit counters for any situations where 32 bit counters wrap too fast, which

translated to any interface that counts faster than 650 million bits per second.

In comparison, using a 64 bit counter for counting octets on a 1Tbps (1,000

Gbps) will wrap in just under 5 years, and it would take an 81,000,000 Tbps

link to cause a 64-bit counter to wrap in 30 minutes.



One of the key improvements to SNMPv3 is with regards to security of the

transmission of MIB object information. Various threats can be identified.

These include modification of object information from an unauthorized entity

during transit, the performing of unauthorized management operations by

users masquerading as another authorized user; eavesdropping on message



The SNMP agent is an agent process on a device on the network. The SNMP

agent maintains managed network devices by responding to NMS requests

and reporting management data to the NMS. To configure SNMP on a device,

the SNMP agent must be enabled, for which the snmp-agent command is

applied.



Using the display snmp-agent sys-info command displays contact information

of personnel responsible for the system maintenance, the physical location of

the device, and currently supported SNMP version(s). The given information in

the example represents the typical default system information found within

Huawei AR2200 series routers, however this can be altered through the use of



1. In the Huawei AR2200 series router, all versions of SNMP (SNMPv1,

SNMPv2c and SNMPv3) are enabled by default.

2. The agent forwards trap messages to the Network Management Station

(NMS) i UDP d ti ti t 162



The eSight system is developed by Huawei for the management of enterprise

networks, such as enterprise park, campus, branch, and data center networks.

It implements unified management of - and intelligent interaction between -

enterprise resources, services and users. In addition, eSight can manage

devices from multiple manufacturers, including network devices from Huawei,



eSight can manage devices from multiple manufacturers, monitor and analyze

and manage network services and elements. The SLA Manager for example

diagnoses network links immediately or at the scheduled time through SLA

tasks, which facilitates assessment of network service quality. The Network

Traffic Analyzer (NTA) analyzes network traffic packets based on the packet



eSight allows administrators to ensure the security of device configuration files

by providing the functions for backing up and restoring device configuration

files. FTP operates as a service within eSight and from which the FTP service

parameters are configured. This includes parameters such as the username

and password used to access the FTP service, the location within eSight



As part of the standard edition, the WLAN Manager manages wireless

resources, for example, access controllers (ACs) and access points (APs) and

configurations of wireless campus networks, diagnoses device and network

faults, and displays both wired and wireless resources in topology views.

The WLAN Manager is capable of delivery and deployment of AP services end



Each AP generates radio spectrum signals that are susceptible to

interference. After the AP radio spectrum function is enabled on devices,

users can view the signal interference information around APs in the NMS.

Users are able to judge the channel quality and surrounding interference

sources on spectrum charts. Spectrum charts include real-time, depth,



eSight Network Traffic Analyzer (NTA) enables users to detect abnormal

traffic in a timely manner based on the real-time entire-network application

traffic distribution, and plan networks based on the long-term network traffic

distribution. As such NTA can implement transparent network management.

eSight NTA allows users to configure devices, interfaces, protocols,



NTA provides the traffic dashboards function, and displays the real-time traffic

for the entire-network. The dashboard offers rankings for interface traffic,

interface utilization, device traffic, application traffic, host traffic, DSCP traffic,

and session traffic, for which it is possible to customize the display format and

view specific content, by drilling down through the network traffic analysis



The eSight NMS allows report information to be represented in a number of

formats for representation of traffic and other analysis data. Report formats

such as Pie, Chart, Table, Line, Graph, and Region can be supported for

displaying the report information. General summary types are also defined

such as Application summary, Session summary, DSCP summary, Source



1. The eSight network management platform editions include compact,

standard, and professional editions.



Module 5

Supporting IPv6 Networks



As a set of specifications defined by the Internet Engineering Task Force(IETF), Internet Protocol version 6 (IPv6) is the next-generation network layerprotocol standard and the successor to Internet Protocol version 4 (IPv4). Themost obvious difference between IPv6 and IPv4 is that IP addresses arelengthened from 32 bits to 128 bits. In doing so, IPv6 is capable of supportingan increased number of levels of addressing hierarchy a much greater



The IPv6 header required some level of expansion to accommodate the

increased size of the IP address, however many other fields that were

considered redundant in many cases of packet forwarding were removed in

order to simplify the overall design of the IPv6 header, and optimize the level

of overhead that is necessary during each packet that is forwarded across the

As IP network convergence introduces technologies such as voice that relies

on a circuit switched traffic flow behavior and near real time performance, the

importance of the flow label field becomes more paramount.

Various options can also now be supported without changing the existing

packet format, with the inclusion of extension header information fields. These

extension header fields are referenced through the Next Header field thatreplaces the protocol field found in IPv4, in order to provide additional flexibility

in IPv6.



The extension header is one of the primary changes to IPv6 for enabling the

IPv6 header to be more streamlined. There are a number of extension

headers that exist in IPv6 and are referenced directly through a hexadecimal

value in the IPv6 Next Header field, in the same way that ICMP, TCP, UDP

headers are referenced in the protocol field of the IPv4 header. Each



The IPv6 address is a 128 bit identifier that is associated with an interface or a

set of interfaces as (in the case of anycast address assignment covered later).

The address notation due to size is commonly defined in hexadecimal format

and written in the form of xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx, where the

xxxx relates to the four hexadecimal digits that translate to a 16 bit binary



The extensive 128 bit size of the IPv6 address means that the general written

notation can be impractical in many cases. Another factor that will remain

common for quite some time is the presence of long strings of zero bits,

primarily due to the unfathomable enormity of the address scale involved. This

however brings a means for simplification and practicality when writing IPv6



Some special addresses also exist within IPv6 including the unspecified

address ::/128 which represents an interface for which there is no IP address

currently assigned. This should not be confused however with the default IP

address ::/0 which is used as a default address value for any network in the

same way the 0.0.0.0/0 default address is used within IPv4. For the loopback

address (127.0.0.1), this is defined in IPv6 as the reserved address ::1/128.



Unicast addressing comprises primarily of global unicast and link local unicast

address prefixes. A global unicast address (2000::/3) can be clearly

distinguished by the fixed first three bits of the address prefix (001). The

address format also is designed to comprise of multiple levels of hierarchy in

the form of a global routing prefix and a subnet identifier, followed by the



A multicast address is an identifier for a set of interfaces (typically belonging to

different nodes). A packet sent to a multicast address is delivered to all

interfaces identified by that address. The multicast address range is

determined from a FF00::/8 address prefix and is clearly distinguishable from

the first 8 bits which are always set to 11111111. The address architecture for



Anycast represents an identifier for a set of interfaces (typically belonging to

different nodes). A packet sent to an anycast address is delivered to one of the

interfaces identified by that address (the "nearest" one, according to the

routing protocols' measure of distance). The anycast architecture commonly

involves an anycast initiator and one or multiple anycast responders.

In terms of performance, multi-server access can be applied, where an

anycast initiator establishes a connection to the same unicast address, each

connection automatically establishes to multiple servers that specify the same

anycast address such as in the case of a client browsing a company web

page.

The client will download the html file and individual image files from separate

mirror servers. As a result, the anycast initiator utilizes bandwidth from

multiple servers to download the web page much more quickly than is possible

with a unicast approach



with a unicast approach.



Upon physically establishing with an IPv6 network, hosts must establish a

unique IPv6 address and associated parameters such as the prefix of the

network. Routers send out Router Advertisement messages periodically, and

also in response to Router Solicitations (RS) to support router discovery, used

to locate a neighboring router and learn the address prefix and configuration



In order to facilitate communication over an IPv6 network, each interface must

be assigned a valid IPv6 address. The interface ID of the IPv6 address can be

defined either through manual configuration by a network administrator,

generated through the system software, or generated using the IEEE 64-bit

Extended Unique Identifier (EUI-64) format.



Before an IPv6 unicast address is assigned to an interface, Duplicate Address

Detection (DAD) is performed to check whether the address is used by

another node. DAD is required if IP addresses are configured automatically.

An IPv6 unicast address that is assigned to an interface but has not been

verified by DAD is called a tentative address. An interface cannot use the



1. The address 2001:0DB8:0000:0000:0000:0000:032A:2D70 can be

condensed to 2001:DB8::32A:2D70. The double colon can be used to

condense strings of zeroes that are often likely to exist due to the

unfathomable size of the IPv6 address space, but may only be used once.

Leading zero values can be condensed, however trailing zero values in



RIPng represents the next generation of distance vector routing for IPv6. It is

largely based on the distance vector principles associated with prior IPv4

versions of RIP and applies the same distance vector principles. The protocol

maintains many of the same conditions including a network diameter of 15

hops beyond which networks become “unreachable” as a result of the “count

One of the main concerns with this is that where EUI-64 is used to define the

link local address, the link local address may change any time that an

interface card is replaced since the MAC of the interface will also change. It is

possible however to manually define the link local address and is generally

recommended to provide stability, or alternatively the global unicast

addressing can be manually defined. If a global unicast address is applied to

the logical interface, the link local addressing may not be automatically definedon the physical interfaces by the router. Where this occurs the ipv6 address

auto link-local command can be used on the physical interface.



RIPng is, as with prior IPv4 versions, a UDP-based protocol with a RIPng

routing process on each router that sends and receives datagrams on UDP

port number 521. All routing update messages are communicated between the

RIPng ports of both the sender and the receiver, including commonly periodic

(unsolicited) routing update messages. There may be specific queries sent



In order to implement RIPng on the router it is first necessary that the router

establish support for IPv6 at the system view. The system view command ipv6

should be implemented to achieve this. At the interface view IPv6 capability is

disabled by default, therefore the ipv6 enable command must be used to

enable IPv6 for each interface and allow the forwarding of IPv6 unicast



Using the display ripng command, the process instance will be shown along

with the parameters and the statistics for the instance. RIPng supports a

preference of 100 by default and maintains an update period of 30 seconds as

found in IPv4 instances of RIP. The operation of RIPng can be verified by the

sending of periodic updates, however these alone may not contain any routes



OSPFv3 is the version of OSPF that is used over IPv6 networks, and in terms

of communication, assumes that each router has been assigned link-local

unicast addresses on each of the router's attached physical links. OSPF

packets are sent using the associated link-local unicast address of a given

physical interface as the source address. A router learns the link-local



The router ID plays a prominent role in OSPFv3 and is now always used to

identify neighboring routers. Previously, they had been identified by an IPv4

address on broadcast, NBMA (Non-Broadcast Multi-Access), and point-to-

multipoint links. Each router ID (as well as the area ID) is maintained as a 32

bit dotted decimal value and cannot be configured using an IPv6 address.



IPv6 refers to the concept of links to mean a medium between nodes over

which communication at the link layer is facilitated. Interfaces therefore

connect to links and multiple IPv6 subnets can be associated with a single

link, to allow two nodes to communicate directly over a single link, even when

they do not share a common IPv6 subnet (IPv6 prefix). OSPFv3 as a result



Authentication in OSPFv3 is no longer supported, and as such the

authentication type and authentication (value) fields from the OSPF packet

header no longer exist. As of IPv6, changes to the IP header have allowed for

the utilization of security protocols that were only present in IPv4 as part of the

IPsec suite, since initial TCP/IP development in the late 1960’s was never



Implementing OSPFv3 between peers requires, as with RIPng, that the router

firstly be capable of supporting IPv6. Additionally the router must also enable

the OSPFv3 protocol globally in the system view. Each interface should be

assigned an IPv6 address. During the configuration of RIPng it was

demonstrated how the interface can be automatically configured to assign a



Following the configuration of neighboring routers participating in OSPFv3, the

display ospfv3 command is used to verify the operation and parameters

associated with OSPFv3. Each router will show a running OSPFv3 process

and a unique router ID. If the adjacency between neighbors is established, the

number of FULL (state) neighbors will show a value greater than zero.



1. RIPng listens for route advertisements using UDP port 521.

2. A 32-bit router ID is used to uniquely distinguish each node running

OSPFv3.



The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) is a technologythat dynamically manages and configures IPv6 addresses in a centralizedmanner. It is designed to assign IPv6 addresses and other networkconfiguration parameters to hosts. DHCPv6 uses the client/server model. Aclient requests configurations such as the IPv6 address and DNS serveraddress from the server the server replies with requested configurations



Prior to the allocation of addresses, it should be clearly understood that an

IPv6 node (client) is required to generate a link-local address and be

successfully evaluated by the Duplicate Address Detection (DAD) process.

Following this, a link router discovery process is involved, for which the IPv6

client node broadcasts a Router Solicitation (RS) message, and the link router



Client nodes initiated on a network supporting stateful addressing may be

serviced by one or more DHCPv6 servers. The IPv6 client uses a link-local

address assigned to the interface for which it is requesting configuration

information as the source address in the header of the IPv6 datagram.

The multicast address FF02::1:2 is a reserved multicast address that



Obtaining stateful addressing and other parameters from a DHCPv6 server

requires a series of messages be sent. A client initially sends a solicit

message to locate servers, from which addressing and configuration

parameters can be received.

Following the solicit message a DHCPv6 server supporting the link will



DHCP may also be employed to support stateless configuration in the event

where a host is capable of retrieving IPv6 addressing information through

stateless configuration means, and requires only specific configuration

parameters from the DHCPv6 server. In such events Information-request

messages are generated, and sent by clients to a server to request



A DHCP Unique Identifier (DUID) is a value that is used to distinguish

between each client and DHCP server, for which only one DUID is present in

each case. Clients may have one or multiple interfaces for which each will be

assigned an IPv6 address along with other configuration parameters and is

referenced using an Identity Association Identifier (IAID). These are used



The DUID format can be assigned through the dhcpv6 duid command, for

which either the DUID-LL or DUID-LLT format can be applied. The DUID-LL

format is applied by default. For the DUID-LLT, the timestamp value will

reference the time from the point at which the dhcpv6 duid llt command is

applied. The display dhcpv6 duid command can be used to verify the current



The implementation of stateful addressing requires that an address pool be

defined with a typical address prefix defined for the given range, as well as

pool specific parameters. The example demonstrates how a pool is created

with the defining of a pool and associated pool name, as well as the address

prefix from which the range of host addresses will be allocated.



A created DHCPv6 pool is required to be associated with an interface through

which it will service DHCP clients. An IPv6 address is assigned to the

interface of the DHCPv6 server and the interface then associated with the

address pool. In this case the excluded address value has been used to

represent the interface address in order to ensure no attempts are made by



The resulting configuration of the DHCPv6 server can be clarified through the

display dhcpv6 pool command, from which point the defined pool(s) can be

identified and the address prefix associated with the pool determined.

Additional information such as the lifetime can be viewed, for which the default

lifetime of a leased address is 86400 seconds, or 1 day and can be



1. The AR2200 series router is capable of supporting Link Layer (DUID-LL)

and Link Layer with Time (DUID-LLT) formats.

2. When a router advertisement is received containing M and O bit values

t t 1 th h t ill f di f DHCP 6 f t t f l



The privilege of HCNA/HCNP/HCIE:With any Huawei Career Certification, you have the privilege on http://learning.huawei.com/en to enjoy:

1

Comprehensive E-Learning Courses

Content：All Huawei Career Certification E-Learning courses

Methods to get the E-learning privil g : submit Huawei Account and email being used for Huawei Account

registration to [email protected] .

2

Training Material Download

Content: Huawei product training material and Huawei career certification training material

Method：Logon http://learning.huawei.com/en and enter HuaWei Training/Classroom Training ,then you can

download training material in the specific training introduction page.









3 Priority to participate in Huawei Online Open Class LVC)

Content：The Huawei career certification training covering all ICT technical domains like R&S, UC&C, Security,

Storage and so on, which are conducted by Huawei professional instructors

hcna-hntd v2.0 intermediate materials (march 17,2014)

Documents